Obstructions and Requirements for Coercion Resistance

It is self-evident that a fair election must output a correct result based on the ballots cast. However, it is unreasonable to expect a high-quality (i.e. non-garbage) output from a system that receives poor input. In the context of elections, one can argue that “garbage” input consists of votes that do not represent the will of the voters: votes that are coerced via threats or bribes. As internet voting takes place in an uncontrolled environment, coercion is an important security concern. In order to defend against coercion, a voting system must give voters the chance to seemingly comply with coercion requests while in reality being able to ignore them. This work aims to improve the framework used for coercion resistance of internet voting systems by identifying and analysing the methods that can be used to achieve it. This is accomplished in two ways: first, by summarising existing theoretical limitations regarding the design of such systems and generalising a result regarding the requirements for achieving coercion resistance to fit a wider range of voting system designs; second, by evaluating and comparing deployed and academic internet voting systems. In the context of this evaluation, this work includes a two-step attack as a weaker but more practical variant of the impersonation (simulation) attack, which is often used in defining coercion resistance. Such an attack is relevant when the authentication system used for voting is also used for other services, as in Estonia and Norway. In that case, the potential cost of identity theft may be greater than the cost of non-compliance. The consequences of the attack, as well as potential countermeasures to it, are also examined.